Morrisons staff are to be awarded a payout over a data breach that occurred when a disgruntled former member of its staff stole the data of thousands of employees and posted it online.
The case is the first data leak class action in the UK.
Morrisons has been found liable for the actions of the employee by the High Court with the ruling opening the possibility for 94,000 people affected to bring a compensation claim, lawyers said.
Workers brought a claim against the company after employee Andrew Skelton stole the data, which included salary and bank details, of nearly 100,000 staff.
Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, posted the payroll information in 2014, including names, addresses, bank account details and salaries, online and and sent it to newspapers.
He was jailed for eight years in July 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
His motive appeared to have been a grudge over an incident when he was accused of dealing in legal highs at work.
Lawyers said the data theft meant a group of 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
A second trial will be held to determine the amount Morrisons must pay in damages.
Following the ruling, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who acted for the claimants, said:
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK. Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients. Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”
The judge ruled that vicarious liability, but not primary liability, had been established. He said:
‘I hold that the Data Protection Act (DPA) does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established. A security breach saw payroll data of nearly 100,000 workers being put online
‘I reject, however, the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality.’ He added: ‘The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.
‘I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it, but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.’
‘Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure. ‘In the Morrisons case, almost 100,000 bank account details, National Insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet. ‘This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers – ordinary people doing their jobs. ‘The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.’
Morrisons has been granted leave to appeal against the decision.